From 3401ea9a571256b938e1dc0ab67ddca0fbeb9860 Mon Sep 17 00:00:00 2001
From: 13jksingh
Date: Fri, 3 Nov 2023 23:33:47 +0530
Subject: [PATCH 1/3] Added a check weather forget-password token is of same user requesting it
---
 .../pecacm/backend/entities/PasswordVerificationToken.java | 4 ++++
 .../backend/repository/VerificationTokenRepository.java | 5 +++--
 src/main/java/com/pecacm/backend/services/UserService.java | 5 +++--
 3 files changed, 10 insertions(+), 4 deletions(-)
 create mode 100644 src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java
diff --git a/src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java b/src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java
new file mode 100644
index 0000000..d6887db
--- /dev/null
+++ b/src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java
@@ -0,0 +1,4 @@
+package com.pecacm.backend.entities;
+
+public class PasswordVerificationToken {
+}
diff --git a/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java b/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java
index e4a12cf..5a52417 100644
--- a/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java
+++ b/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java
@@ -1,5 +1,6 @@
 package com.pecacm.backend.repository;
 
+import com.pecacm.backend.entities.User;
 import com.pecacm.backend.entities.VerificationToken;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Modifying;
@@ -17,11 +18,11 @@ public interface VerificationTokenRepository extends JpaRepository user = userRepository.findByEmail(username); + if (user.isEmpty()) { throw new AcmException("Email provided does not match any of the registered users", HttpStatus.NOT_FOUND); } - if (!verificationTokenRepository.checkVerificationToken(tokenId)) { + if (!verificationTokenRepository.checkVerificationToken(tokenId,user.get())) { throw new AcmException("UUID token provided does not match, it might be expired", HttpStatus.NOT_FOUND); } if (password.isBlank() || password.isEmpty()) { From 2ba84f1878be1930f55c0a12196f0930df031122 Mon Sep 17 00:00:00 2001 From: 13jksingh Date: Sat, 4 Nov 2023 00:09:13 +0530 Subject: [PATCH 2/3] Validation on expiry of the forget pswrd token and deleting all token on get request --- .../repository/VerificationTokenRepository.java | 11 +++-------- .../java/com/pecacm/backend/services/UserService.java | 7 ++++++- .../pecacm/backend/services/VerificationService.java | 1 + 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java b/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java index 5a52417..78c3b5a 100644 --- a/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java +++ b/src/main/java/com/pecacm/backend/repository/VerificationTokenRepository.java @@ -16,14 +16,9 @@ public interface VerificationTokenRepository extends JpaRepository findByUsername(String username); - @Query("SELECT "+ - "CASE " + - "WHEN :tokenId = (SELECT v.token from VerificationToken v WHERE v.user=:user ORDER BY v.createdDate DESC LIMIT 1)" + - "THEN TRUE " + - "ELSE FALSE " + - "END as result") - Boolean checkVerificationToken(UUID tokenId, User user); - @Modifying void deleteByToken(UUID tokenId); + + @Modifying + void deleteAllByUser(User user); } 
diff --git a/src/main/java/com/pecacm/backend/services/UserService.java b/src/main/java/com/pecacm/backend/services/UserService.java
index 9d53c86..0b9712d 100644
--- a/src/main/java/com/pecacm/backend/services/UserService.java
+++ b/src/main/java/com/pecacm/backend/services/UserService.java
@@ -64,9 +64,14 @@ public void changePassword(UUID tokenId, String username, String password, Passw
 if (user.isEmpty()) {
 throw new AcmException("Email provided does not match any of the registered users", HttpStatus.NOT_FOUND);
 }
- if (!verificationTokenRepository.checkVerificationToken(tokenId,user.get())) {
+ Optional token = verificationTokenRepository.findById(tokenId);
+ if (token.isEmpty() || token.get().getCreatedDate().isBefore(LocalDateTime.now().minusMinutes(15))){
+ verificationTokenRepository.deleteById(tokenId);
 throw new AcmException("UUID token provided does not match, it might be expired", HttpStatus.NOT_FOUND);
 }
+ if (token.get().getUser() != user.get()){
+ throw new AcmException("UUID token provided does not belong to the user.", HttpStatus.UNAUTHORIZED);
+ }
 if (password.isBlank() || password.isEmpty()) {
 throw new AcmException("password cannot be blank or empty", HttpStatus.BAD_REQUEST);
 // TODO: 22/10/23 add required password checks to stay consistent with frontend checks
diff --git a/src/main/java/com/pecacm/backend/services/VerificationService.java b/src/main/java/com/pecacm/backend/services/VerificationService.java
index bcb504a..64f14c7 100644
--- a/src/main/java/com/pecacm/backend/services/VerificationService.java
+++ b/src/main/java/com/pecacm/backend/services/VerificationService.java
@@ -19,6 +19,7 @@ public VerificationService(VerificationTokenRepository verificationTokenReposito
 @Transactional
 public VerificationToken getVerificationToken(User user) {
+ verificationTokenRepository.deleteAllByUser(user);
 return verificationTokenRepository.save(
 VerificationToken.builder().user(user).build()
 );
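Review bot: The ownership check `if (token.get().getUser() != user.get()){` compares two JPA entity references with `!=`, which only holds when both lookups hand back the same managed instance; compare by identity instead, e.g. `if (!user.get().equals(token.get().getUser())) {` (assuming `User` defines `equals` on its identifier) or compare the ids directly. Answering that mismatch with its own message and `HttpStatus.UNAUTHORIZED`, while a missing or expired token gets `NOT_FOUND`, tells the caller that the token exists and is currently valid for another account, so returning the same not-found response in both branches is the safer choice. In the expiry branch `verificationTokenRepository.deleteById(tokenId);` is also reached when `token.isEmpty()`, and on Spring Data JPA 2.x `deleteById` throws `EmptyResultDataAccessException` for an absent id, which would pre-empt the intended AcmException for an unknown token; `token.ifPresent(verificationTokenRepository::delete);` avoids that. The expiry comparison against `LocalDateTime.now()` assumes `createdDate` is stored in the JVM's default zone, which cannot be confirmed from the hunk. The body of changePassword starts and ends outside the hunk, so whether the token is consumed after a successful change is not visible here.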
From 2c2d0f4a574324931c86e01c2a3d1a06cc40644e Mon Sep 17 00:00:00 2001
From: 13jksingh
Date: Sat, 4 Nov 2023 11:00:51 +0530
Subject: [PATCH 3/3] PasswordToken entity removed
---
 .../pecacm/backend/entities/PasswordVerificationToken.java | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java
diff --git a/src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java b/src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java
deleted file mode 100644
index d6887db..0000000
--- a/src/main/java/com/pecacm/backend/entities/PasswordVerificationToken.java
+++ /dev/null
@@ -1,4 +0,0 @@
-package com.pecacm.backend.entities;
-
-public class PasswordVerificationToken {
-}